b'                   AUDIT REPORT\n\n\nAudit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and\n\n                             Electronic Safe\n\n\n\n                   OIG-13-A-16 April 1, 2013\n\n\n\n\nAll publicly available OIG reports (including this report) are accessible through\n\n                              NRC\xe2\x80\x99s Web site at:\n\n            http:/www.nrc.gov/reading-rm/doc-collections/insp-gen\n\x0c                                UNITED STATES\n                        NUCLEAR REGULATORY COMMISSION\n                                 WASHINGTON, D.C. 20555-0001\n\n\n\nOFFICE OF THE\nINSPECTOR GENERAL\n\n\n                                                  April 1, 2013\n\n\n\n\nMEMORANDUM TO:              R. William Borchardt\n                            Executive Director for Operations\n\n\n\nFROM:                       Stephen D. Dingbaum /RA/\n                            Assistant Inspector General for Audits\n\n\nSUBJECT:                    AUDIT OF NRC\xe2\x80\x99S SAFEGUARDS INFORMATION LOCAL\n                            AREA NETWORK AND ELECTRONIC SAFE\n                            (OIG-13-A-16)\n\n\nAttached is the Office of the Inspector General\xe2\x80\x99s (OIG) audit report titled Audit of NRC\xe2\x80\x99s\nSafeguards Information Local Area Network and Electronic Safe.\n\nThe report presents the results of the subject audit. Agency comments provided at the\nMarch 20, 2013, exit conference have been incorporated, as appropriate, into this\nreport.\n\nPlease provide information on actions taken or planned on each of the\nrecommendations within 30 days of the date of this memorandum. Actions taken or\nplanned are subject to OIG follow-up as stated in Management Directive 6.1.\n\nWe appreciate the cooperation extended to us by members of your staff during the\naudit. If you have any questions or comments about our report, please contact me at\n415-5915 or Beth Serepca, Team Leader, Security and Information Management Team,\nat 415-5911.\n\nAttachment: As stated\n\x0c                       Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nEXECUTIVE SUMMARY\n\n\n   BACKGROUND\n\n        The U.S. Nuclear Regulatory Commission (NRC) developed its\n        Safeguards Information Local Area Network and Electronic Safe (SLES)\n        system to store and manage electronic Safeguards Information (SGI)\n        documents.\n\n        SLES features two distinct components: a secure wireless Local Area\n        Network (LAN) and an electronic safe (E-Safe) for SGI documents. The\n        SGI LAN component is a network with a secure architecture and is\n        dedicated for use in SGI data processing. The E-Safe component is a\n        secure electronic data repository for SGI records. E-Safe users are able\n        to create, capture, search, and retrieve data from this repository. The\n        adoption of these various techniques into SGI operations was intended to\n        ensure that E-Safe will contain all SGI created or received by NRC,\n        thereby eliminating the need to maintain separate, individual collections of\n        SGI.\n\n\n   OBJECTIVE\n\n        The audit objective was to determine if SLES meets its operational\n        capabilities and applicable security controls.\n\n\n   RESULTS IN BRIEF\n\n        NRC has developed a secure electronic system to store SGI while also\n        reducing paper SGI and the space needed to store SGI documents;\n        however, opportunities exist for improvement. Specifically, the system (A)\n        does not fully meet user needs and (B) uses inconsistent access rights.\n\n\n   RECOMMENDATIONS\n\n        This report makes recommendations to improve the agency\xe2\x80\x99s SLES\n        system. A list of these recommendations appears on page 21 of this\n        report.\n\n\n\n\n                                          i\n\x0c                   Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nAGENCY COMMENTS\n\n    At an exit conference on March 20, 2013, agency management stated\n    their agreement with the findings and recommendations in this report.\n    Agency management also provided supplemental information that has\n    been incorporated into this report, as appropriate. As a result, the agency\n    opted not to provide formal comments for inclusion in this report.\n\n\n\n\n                                      ii\n\x0c                     Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nABBREVIATIONS AND ACRONYMS\n\n       CFR \xe2\x80\x93 Code of Federal Regulations\n\n       CD \xe2\x80\x93 Compact Disc\n\n       DVD \xe2\x80\x93 Digital Versatile Disc\n\n       E-Safe \xe2\x80\x93 Electronic Safe\n\n       HSPD-12 \xe2\x80\x93 Homeland Security Presidential Directive 12\n\n       IT \xe2\x80\x93 Information Technology\n\n       LAN \xe2\x80\x93 Local Area Network\n\n       NRC \xe2\x80\x93 U.S. Nuclear Regulatory Commission\n\n       NSIR \xe2\x80\x93 Office of Nuclear Security and Incident Response\n\n       OIG \xe2\x80\x93 Office of the Inspector General\n\n       OIS \xe2\x80\x93 Office of Information Services\n\n       SGI \xe2\x80\x93 Safeguards Information\n\n       SLES \xe2\x80\x93 Safeguards Information Local Area Network and Electronic Safe\n\n\n\n\n                                       iii\n\x0c                           Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nTABLE OF CONTENTS\n\n        EXECUTIVE SUMMARY ............................................................................ i\n\n        ABBREVIATIONS AND ACRONYMS ........................................................ iii\n\n        I.      BACKGROUND .............................................................................. 1\n\n        II.     OBJECTIVE .................................................................................... 7\n\n        III.    FINDINGS ....................................................................................... 7\n\n                A. SLES Does Not Fully Meet User Needs ..................................... 8\n\n                B. Access Rights Are Inconsistent ................................................ 17\n\n        IV.     CONSOLIDATED LIST OF RECOMMENDATIONS ..................... 21\n\n        V.      AGENCY COMMENTS ................................................................. 22\n\n\n        APPENDIX\n\n\n        OBJECTIVE, SCOPE, AND METHODOLOGY ........................................ 23\n\n\n\n\n                                                 iv\n\x0c                                  Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nI.      BACKGROUND\n\n                SLES Overview\n\n                The U.S. Nuclear Regulatory Commission (NRC) developed its\n                Safeguards Information Local Area Network and Electronic Safe (SLES)\n                system to store and manage electronic Safeguards Information (SGI)1\n                documents. SLES was created in response to the Commission\'s January\n                2004 directive2 that staff "develop and implement a secure intranet\n                capability that allows appropriate NRC staff to share safeguards and\n                classified information3 internally in a secure and effective manner."\n\n                SLES was created to meet the following business needs:\n\n                    Provide a secure network for authorized users to access SGI\n                    documents electronically.\n                    Reduce the volume of SGI document storage space.\n                    Act as a secure SGI records repository in compliance with National\n                    Archives and Records Administration requirements.\n                    Enable record and document management (i.e., add, store, search,\n                    retrieve, collaborate, and disposition) of SGI in a centralized electronic\n                    document management system.\n\n                Prior to SLES, SGI was generated and maintained by NRC employees\n                who were authorized as SGI custodians. These custodians used secure\n                safes to control the information and ensure protection from unauthorized\n                disclosure. While some electronic files were stored on compact discs\n                (CD) and removable hard disks, most of the SGI documents were in paper\n                (hardcopy) format. Regardless of format, SGI was stored in either lock\n                bar cabinets or safes.4 Over time, managing SGI hardcopy, individual\n                CDs, and files on removable hard disks in the secure lock bar cabinets\n\n1\n  SGI is a special category of sensitive unclassified information to be protected as authorized by Section\n147 of the Atomic Energy Act. SGI concerns the physical protection of operating power reactors, spent\nfuel shipments, strategic special nuclear material, or other radioactive material. While SGI is considered\nsensitive unclassified information, its handling and protection more closely resembles the handling of\nclassified confidential information than other sensitive unclassified information.\n2\n  Staff Requirements Memorandum M040114A, "Briefing on the Status of OCIO Programs, Performance,\nand Plans," dated January 30, 2004.\n3\n  Only SGI is stored in SLES; NRC does not have an electronic system for storing classified information.\n4\n  Lock bar cabinets are steel file cabinets with a combination lock that secures all of the file drawers.\nPaper SGI is required to be stored in lock bar cabinets but may also be stored in safes with classified\ninformation.\n                                                     1\n\x0c                                  Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n                had become increasingly difficult, which caused delays in locating,\n                accessing, and sharing SGI with authorized staff. This led to NRC\xe2\x80\x99s\n                development and implementation of a secure intranet capability that would\n                allow authorized NRC staff in the headquarters and regional offices to\n                share SGI in a secure and effective manner.\n\n                The Office of Nuclear Security and Incident Response (NSIR) began using\n                SLES in 2008. In 2009, NRC validated the SLES architecture to ensure\n                the scalability and security of the system prior to its deployment\n                agencywide. SLES officially went \xe2\x80\x9clive\xe2\x80\x9d at NRC headquarters in January\n                2010, and then on a staggered basis to the NRC regional offices and\n                resident inspector sites, with full implementation by May 2012.\n\n                SLES Features\n\n                SLES features two distinct components: a secure wireless Local Area\n                Network (LAN) and an electronic safe (E-Safe) for SGI documents. The\n                SGI LAN component is a network with a secure architecture and is\n                dedicated for use in SGI data processing. The SGI LAN essentially\n                provides access to E-Safe via kiosk workstations, desktop terminals, or\n                laptops.5 The E-Safe component is a secure electronic data repository for\n                SGI records. E-Safe users are able to create, capture, search, and\n                retrieve data from this repository. Records are captured in E-Safe through\n                scanning paper copies, uploading documents from CDs and Digital\n                Versatile Discs (DVD), and creating documents within the system itself.\n                The adoption of these various techniques into SGI operations was\n                intended to ensure that E-Safe will contain all SGI created or received by\n                NRC, thereby eliminating the need to maintain separate, individual\n                collections of SGI.\n\n                E-Safe stores all SGI documents in \xe2\x80\x9clocked\xe2\x80\x9d electronic folders. NRC\n                employees must follow a multistep process to obtain access to these\n                folders and documents. First, the employee must create an SLES user\n                account by submitting a form to the SLES help desk. Next, the\n                employee\xe2\x80\x99s branch chief must email the SLES help desk to specify which\n\n\n\n5\n There are three different ways to access SLES depending on the user. Most users will access SLES via\none or two shared kiosk workstations within an office. Frequent SLES users may have their own SLES\ndesktop computer terminal. Finally, resident inspectors located at nuclear power plant sites are provided\nan SLES laptop.\n                                                     2\n\x0c                                  Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n                documents the employee should be authorized to read. This authorization\n                serves as the \xe2\x80\x9cneed-to-know.\xe2\x80\x9d6 Finally, the SLES help desk assigns the\n                employee to one or more user groups7 that have the ability to read those\n                documents.\n\n                SLES also provides features that do not involve E-Safe. The system\n                contains electronic collaboration rooms where users can develop and edit\n                SGI documents in a secure and protected environment, and it has a\n                secure email function where users can email SGI documents using\n                approved encryption protocols.\n\n                SLES Security\n\n                The SLES LAN is isolated from the NRC LAN, Internet, and all other\n                networks to enhance security and prevent migration of SGI data off the\n                SLES system. The system uses Virtual Private Network technology to\n                ensure secure encrypted connections between remote locations. Security\n                is further enhanced by using multi-factor authentication. Authenticating to\n                SLES is done through an individual\xe2\x80\x99s Personal Identity Verification card,8\n                which extends security to SLES through a well-established, organization-\n                wide identity verification infrastructure. Further, to access the E-Safe\n                component of SLES, users must have an additional user identification and\n                password.\n\n                The SLES system is designed to provide data protection and availability\n                through regular periodic server file backups and through a redundant\n                secondary (\xe2\x80\x9cfailover\xe2\x80\x9d) system at NRC\xe2\x80\x99s Region IV office location. The\n                purpose of the failover system is to ensure that the SLES system can\n                remain available to users and that data would not be lost in the event that\n                the primary system at NRC headquarters becomes nonfunctional. The\n                failover site houses a duplicate set of servers that contain a mirror image\n                of the primary site data servers. In an event where the headquarters site\n\n6\n  \xe2\x80\x9e\xe2\x80\x9eNeed-to-know\xe2\x80\x9f\xe2\x80\x9f means a determination by a person having responsibility for protecting SGI that a\nproposed recipient\xe2\x80\x99s access to SGI is necessary in the performance of official, contractual, licensee,\napplicant, or certificate holder employment.\n7\n  All user groups are assigned to specific folders that contain SGI documents. Users assigned to a user\ngroup get access rights to all folders and documents assigned to that user group.\n8\n  On August 27, 2004, President George W. Bush signed Homeland Security Presidential Directive 12\n(HSPD-12), \xe2\x80\x9cPolicy for a Common Identification Standard for Federal Employees and Contractors.\xe2\x80\x9d\nHSPD-12 directed the implementation of a new standardized badging process, which was designed to\nenhance security, reduce identity fraud, and protect the personal privacy of those issued Government\nidentification.\n                                                     3\n\x0c                                   Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n                  is not available for the system users, the secondary site would become the\n                  primary. See Figure 1 for a depiction of the SLES network topology map.9\n\n\n                                    Figure 1: SLES Network Topology Map\n\n\n\n\n                  Source: NRC\n\n\n\n\n9\n    The failover site is depicted by the green box labeled \xe2\x80\x9cCOOP SLES Server Room.\xe2\x80\x9d\n                                                      4\n\x0c                                 Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n                Program Offices\n\n                On October 1, 2011, NRC transitioned ownership of the SLES system\n                from NSIR to the Office of Information Services (OIS). Under this\n                arrangement, OIS manages the entire hardware infrastructure and tasks\n                associated with the system\xe2\x80\x99s operating maintenance for the secure LAN\n                and application. OIS is also responsible for project management, help\n                desk support, system operations, and maintenance of SLES. NSIR, the\n                creator and original SLES system owner, manages the E-Safe software\n                application that is hosted on the servers maintained by OIS. NSIR\n                handles E-Safe issues dealing with the system\xe2\x80\x99s business process, for\n                example, adding users to the application, maintaining records taxonomy,\n                and giving permission to access SGI folders or documents. NSIR is\n                essentially responsible for the SGI data within SLES.10 See Figure 2 for\n                more information on OIS and NSIR SLES roles and responsibilities.\n\n                Figure 2: OIS and NSIR SLES Roles and Responsibilities\n\n\n\n\n                Source: NRC\n\n\n\n\n10\n  It should be noted that the SGI data is not owned by the SLES system or NSIR, but rather by the\nrespective departments/authors that it came from.\n                                                    5\n\x0c                                    Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n\n                  Program Resources and Costs\n\n                  NRC receives SLES support from a nine-member contractor team11 under\n                  a single contract for two types of services: (1) Operations and\n                  Maintenance and (2) Records Management. After the system ownership\n                  transition from NSIR to OIS, OIS assumed the Operations and\n                  Maintenance (help desk and operations) responsibility from NSIR while\n                  NSIR maintained control of the Records Management (paper SGI\n                  scanning into SLES) portion. OIS has committed .33 full-time equivalent\n                  personnel to SLES; NSIR removed all full-time equivalent personnel from\n                  SLES after it transitioned system ownership to OIS in 2011.\n\n\n                  NRC paid approximately $5.3 million to develop SLES and pays\n                  approximately $1.2 million annually for its SLES contract. Of this amount,\n                  roughly $831,000 goes to the support contractor, $315,000 is applied to\n                  software, and $78,000 is targeted for hardware.\n\n\n\n\n11\n     The contractor team consists of seven full-time and two part-time members.\n                                                       6\n\x0c                          Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nII.    OBJECTIVE\n\n           The audit objective was to determine if SLES meets its operational\n           capabilities and applicable security controls. The report appendix contains\n           information on the audit scope and methodology.\n\n\nIII.   FINDINGS\n\n           NRC has developed a secure electronic system to store SGI while also\n           reducing paper SGI and the space needed to store SGI documents;\n           however, opportunities exist for improvement. Specifically, the system (A)\n           does not fully meet user needs and (B) uses inconsistent access rights.\n\n\n\n\n                                             7\n\x0c                                  Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nA.              SLES Does Not Fully Meet User Needs\n\n                Information Technology (IT) Systems should improve agency productivity\n                and efficiency while reducing paper.12 SLES was created to allow NRC\n                staff to share SGI in a secure and effective manner. However, SLES does\n                not fully meet user needs, and while it has reduced the amount of SGI\n                paper documents maintained by NRC offices, a significant amount still\n                remains. This has occurred because NRC management has not given\n                SLES high priority, specifically:\n\n                        There is no single individual who serves as a business\n                        \xe2\x80\x9cchampion\xe2\x80\x9d13 for integrating SLES into the NRC business process.\n                        NRC lacks adequate communication channels to discuss system\n                        issues between SLES staff and its users.\n\n                As a result, the system is not being used to its potential and more\n                resources must be used to maintain paper SGI records, possibly resulting\n                in fiscal waste.\n\n                Information Technology Systems Should Improve Productivity and\n                Efficiency While Reducing Paper\n\n                IT Systems should improve agency productivity and efficiency while\n                reducing paper. The Paperwork Reduction Act of 1995 states that Federal\n                agencies should ensure that IT is acquired, used, and managed to\n                improve performance of agency missions. The act also promotes the use\n                of IT by agencies to improve the productivity, efficiency, and effectiveness\n                of agency programs. Finally, it states that agencies should minimize the\n                cost of the creation, collection, maintenance, use, and dissemination of\n                information, including the use of technology to reduce information\n                collection burdens.\n\n                According to an NRC Staff Requirements Memorandum from January\n                2004, the Commission directed that staff "develop and implement a secure\n                intranet capability that allows appropriate NRC staff to share safeguards\n                and classified information internally in a secure and effective manner."\n\n12\n  Paperwork Reduction Act of 1995.\n13\n  A champion is a person who voluntarily works to facilitate the adoption, implementation, and success of\na cause, policy, program, project, or product.\n\n\n                                                     8\n\x0c                                  Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n\n                SLES Is Not Meeting User Needs and a Large Amount of Paper SGI\n                Still Remains\n\n                SLES does not fully meet user needs. Based on interviews with 26 active\n                SLES users, auditors identified the following common themes:\n\n                        SLES official folder and document organization is confusing and not\n                        intuitive \xe2\x80\x93 Fourteen users commented that finding documents in the\n                        system is difficult or that the folder and document organization\n                        within SLES is poorly organized and categorized. Users have\n                        remarked that unless they know the NS number14 of the document\n                        they are looking for, they may not be able to locate the documents\n                        within SLES. Moreover, many of the folders in SLES are empty.\n                        The Office of the Inspector General (OIG) reviewed 492 folders of\n                        the 5,699 folders within SLES, and found that 55 percent (272\n                        folders) of the folders reviewed contained no documents at all.\n\n                        The search function is poor as it is limited to \xe2\x80\x9cread\xe2\x80\x9d permission only\n                        \xe2\x80\x93 SLES is arranged so that users with only \xe2\x80\x9cbrowse\xe2\x80\x9d permission\n                        cannot see any results (document titles) when conducting a formal\n                        search through the SLES search engine.15 To see results when\n                        conducting formal document searches, users must have read\n                        permission.16 This is a problem because the default setting for all\n                        SLES users is set at browse permission, and even for those users\n                        with read permission, search results can still be extremely limited\n                        because users can only see search results to folders for which they\n                        have read permission.\n\n                        For example, if users had read permission to a folder containing\n                        Beaver Valley security information, the users would be able to\n                        search for any documents in the Beaver Valley folder and view all\n14\n   An NS number is a specific number assigned to every document in SLES, similar to the ML number in\nNRC\xe2\x80\x99s Agencywide Documents Access and Management System (ADAMS).\n15\n   If users have \xe2\x80\x9cbrowse\xe2\x80\x9d permission, they are able to see document titles only if they manually scroll\nthrough the entire inventory of SLES documents. Users with browse permission cannot do an actual\nsearch to identify a particular document.\n16\n   Permissions control what a user can do. Examples of SLES permissions include browse, read, and\nedit. Browse, the default user permission, simply allows users to scroll through SLES and view folder and\ndocument titles; read allows users to open and read the contents of all documents within a folder; and edit\nallows users to edit documents. Users must first obtain the need-to-know prior to receiving read or edit\npermissions.\n\n\n                                                     9\n\x0c        Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nof the results. But if the same users needed information located in\nanother folder where they only had the default browse permission\n(e.g., Independent Spent Fuel Storage Installations stored on\nBeaver Valley property), they would not see any search results\nbecause they do not have read permission for Beaver Valley\nIndependent Spent Fuel Storage Installations; therefore, users may\nthink the documents do not exist in SLES. In essence, if users\nhave not already obtained the need-to-know to read a document,\nthey will not even be able to search for it.\n\nSLES is slow to upload documents \xe2\x80\x93 Security inspectors typically\nupload into SLES the licensees\xe2\x80\x99 security plans and other plant\ninformation that are provided by licensees on CDs. Depending on\nthe amount of information provided, uploading the CDs may take\nseveral hours, or even days, to complete. Inspectors are required\nto be present at the workstation during the entire upload process\nsince they are dealing with SGI, and this upload process must\noccur at a shared kiosk workstation because personal SLES\ndesktop terminals do not accept removable media such as CDs.\n\nNuclear power plant based resident inspectors\xe2\x80\x99 SLES laptops are\nnot set up/functional \xe2\x80\x93 Several regional inspectors based in\nregional offices complained that many resident inspectors either\nhad their SLES laptops stored in a desk and not set up, or they had\nthe laptops set up but not functioning because of expired user\ncertificates due to non-use. Resident inspectors claimed the\nprimary reason for this was because they rarely work with SGI;\nhowever, non-functioning SLES laptops can inhibit visiting regional\ninspectors because the non-functionality precludes easy electronic\naccess to SGI and it encourages the regional inspectors to mail and\nuse paper SGI when conducting power plant inspections.\n\nSeveral security inspectors at NRC headquarters told auditors that\nthey would like to have a portable device, such as a tablet, to store\nand carry SGI with them during their power plant inspections. The\ntablet would not need to have access to the Internet or any\nnetworks, but would be able to hold previously downloaded SGI in\nelectronic format. OIG notes that this may provide more security\nthan hand-carrying SGI and would likely make the inspection\nprocess more efficient. An OIS IT specialist reported that there is\n\n                          10\n\x0c                                 Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n                        currently a tablet pilot underway in NRC\xe2\x80\x99s Region II office, but at\n                        this time there are no plans to involve SGI in this pilot.\n\n                        It can be difficult to read maps and drawings in SLES \xe2\x80\x93 Security\n                        inspectors will often get electronic maps and drawings from\n                        licensees as part of their security documentation. These items are\n                        difficult to read at times, due to either being too small to see on the\n                        SLES monitor or too large to easily view everything on one page.\n                        Therefore, inspectors typically must print these items.\n\n                        SLES contains no audio capabilities \xe2\x80\x93 There are times when\n                        licensees provide security inspectors CDs or DVDs that contain\n                        video/audio presentations. While SLES has video capability, it\n                        cannot play any sound.\n\n                 Another goal for the development of SLES was to reduce the amount of\n                 SGI paper documents and the overall volume of SGI document storage\n                 space. While SLES has reduced a large volume of SGI paper documents,\n                 there still remains a large amount within the agency. For example:\n\n                        All offices provided NSIR their SGI documents to be input into\n                        SLES; however, certain offices continue to maintain paper copies\n                        as well. According to an Office of the Secretary staffer, the office is\n                        to maintain their SGI documents as official records to meet National\n                        Archives and Records Administration requirements. Additionally,\n                        an enforcement specialist in one of NRC\xe2\x80\x99s regional offices asserted\n                        that regulations17 state that all unclassified SGI paper documents\n                        related to enforcement actions that are not considered \xe2\x80\x9csignificant\xe2\x80\x9d\n                        must be kept at least 2 years.\n\n                        Certain individuals hold on to their SGI documents because there is\n                        no formal workflow process whereby users are notified when their\n                        documents have been entered into SLES. Due to this uncertainty,\n                        some people prefer to maintain a hard copy of documents they\n                        submitted.\n\n                        NRC regional offices still maintain SGI safes.\n\n\n\n17\n     NRC Comprehensive Records Disposition Schedule, NUREG-0910, Revision 4.\n                                                   11\n\x0c               Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n      NSIR maintains approximately 23 lock bar cabinets containing SGI.\n      In addition, NSIR stores some SGI in General Services\n      Administration-approved safes intended for classified information.\n\n      Within NRC headquarters, an \xe2\x80\x9cOIS Vault\xe2\x80\x9d contains roughly 375\n      cubic feet of NRC\xe2\x80\x99s confidential documents, including SGI. The\n      vault, a locked room approximately the size of a standard\n      conference room, once served as the official storage area for the\n      agency\xe2\x80\x99s sensitive documents prior to the creation of the\n      Agencywide Documents Access and Management System and\n      SLES. It is unknown exactly how many SGI documents are stored\n      in the vault, although OIS management estimates that roughly one-\n      half to three-fourths of the documents within the vault are SGI.\n\nWhile the agency still maintains a large amount of SGI paper documents,\nNSIR nonetheless has made progress in reducing the overall volume of\nSGI paper documents. Since 2010, NSIR has removed over 80 SGI lock\nbar cabinets from its office space alone. In addition, while the regional\noffices still maintain some SGI cabinets or safes, regional staff claim the\namount of SGI paper documents and SGI lock bar cabinets has been\ngreatly reduced since NSIR began its paper reduction efforts. NSIR is still\nactively trying to eliminate SGI paper documents and lock bar cabinets\nand is currently teaming up with OIS to address the OIS vault in the near\nfuture.\n\nSLES Is Not a High Priority\n\nSLES has not fully met its users\xe2\x80\x99 needs because SLES has not been given\na high priority by NRC management. Specifically:\n\n          There is no single individual who serves as a business\n          champion for integrating SLES into the NRC business process.\n          The communication channels to discuss system issues between\n          SLES staff and its users are insufficient.\n\nNo SLES Business Champion\n\nWhile OIS and NSIR are both involved with SLES, there is no single\nindividual who serves as a business champion for SLES and its\n\n\n                                 12\n\x0c                                   Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n                 processes. OIS is responsible for the IT and technical aspects of SLES,\n                 but business processes and policy are not under its purview. This\n                 responsibility falls under NSIR; however, the individual from NSIR who\n                 managed the system prior to its transfer to OIS is no longer employed by\n                 NRC. While this former NSIR employee continued to oversee SLES\n                 following its transfer to OIS, this was done on a strictly voluntary basis.\n                 After SLES was transferred to OIS, NSIR staff claim they provided\n                 guidance to OIS but technically no longer had any direct day-to-day SLES\n                 responsibilities; the office relies on its contractor to fulfill its records\n                 management responsibilities. A separate division within NSIR handles\n                 SGI and its policies, but its core duties do not include SLES.\n\n                 As NSIR and OIS are two distinct entities involved with SLES, there is no\n                 clear reporting structure that places someone in charge of \xe2\x80\x93 and who\n                 understands \xe2\x80\x93 both the IT and the business policy side of SLES. As an\n                 example, one possible solution identified by OIG to expedite uploads into\n                 SLES could be to change some of the existing thin client kiosks to fat\n                 clients18 for users who do a large amount of SGI uploading from CDs. An\n                 OIS official stated that this is theoretically possible, but it lacks the\n                 independent authority to make this change due to physical security\n                 concerns with fat client machines. Such a move would require not only\n                 upper management approval, but NSIR\xe2\x80\x99s involvement as well.\n\n                 Another issue is that many people have yet to embrace the use of SLES,\n                 and because they are not required to use the system, they continue to\n                 work with SGI paper documents. As noted earlier in the report, security\n                 inspectors will often mail SGI to power plants prior to their inspections for\n                 their use, and individuals and offices are often permitted to maintain their\n                 SGI paper documents after the documents have been uploaded into\n                 SLES. Additionally, SLES is not used for any formal concurrence process\n                 involving SGI; only SGI paper documents are used for this purpose.\n\n\n\n18\n  All SLES kiosks are composed of thin clients. A thin client is a computer which depends heavily on\nsome other computer (its server) to fulfill its traditional computational roles. Thin clients are barebone\ncomputer setups that do not contain any processors or data storage devices \xe2\x80\x93 they can be something as\nminimalistic as a monitor with a keyboard or mouse. A fat client is a networked computer with most\nresources installed locally, rather than distributed over a network as is the case with a thin client. Some\nadvantages of fat clients are a reduced load on the server and an ability to work independent of the\ncentral server. A fat client can also run faster than a thin client since fat clients store many applications\nlocally. However, thin clients are easier to protect from security risks and offer lower maintenance costs.\n\n\n\n                                                     13\n\x0c               Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nCommunication Is Insufficient\n\nCommunication channels to discuss system issues between SLES staff\nand its users are also inadequate. In the earlier years of SLES while the\nsystem was still under NSIR\xe2\x80\x99s ownership, NSIR would issue periodic\nnewsletters providing updates about the system. Furthermore, users\ncould join the E-Safe Enhancement Working Group to discuss system\nissues on a biweekly basis. The newsletters and working groups have\nsince been discontinued and many users are unaware of how to voice\ntheir concerns with the system. When OIG relayed the common user\ncomplaints to OIS, OIS staff were unaware of some of these system\nissues. In addition, one of the SLES regular users said the subject matter\nexperts, the individuals who created or owned the SGI, were never\nconsulted as to how the documents should be titled or categorized. This\nled to extra difficulty in locating files within SLES. When he later tried to\napproach the SLES team about this matter, he said the team was not\nreceptive to his recommendations or ideas.\n\nOIG notes that information system change control boards are considered\na best business practice for ensuring information system stakeholders\xe2\x80\x99\nconcerns are raised and analyzed over a system\xe2\x80\x99s lifecycle so that\nnecessary improvements can be made to the system to meet user needs.\nNational Institute of Standards and Technology Special Publication 800-\n128 defines a change control board as a group that represents various\norganization perspectives that has the collective responsibility and\nauthority to review and approve changes to an information system.\nAccording to Special Publication 800-128, the board is a check and\nbalance on configuration change activity, assuring that changes are held\nto organizationally defined criteria (e.g., scope, cost, impact on security)\nbefore being implemented.\n\nThough the communication channels between SLES staff and its system\nusers need improvement, it should be noted that the majority of SLES\nusers remarked that they are very pleased with the SLES help desk and\nthe overall support received. An OIS employee also stated that OIS would\nalways try to address any user\xe2\x80\x99s concerns as long as OIS is aware of the\nproblem. For example, during the course of this audit, OIG learned that\nNRC\xe2\x80\x99s Technical Training Center did not have access to SLES even\nthough it provides training to security inspectors. OIG notified OIS of the\n\n\n\n                                 14\n\x0c                                 Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n               issue and OIS immediately contacted individuals at the Technical Training\n               Center to discuss the matter. OIS has since approved the change and\n               anticipates installing four SLES workstations at the Technical Training\n               Center by the end of March 2013.\n\n               SLES Not Utilized To Its Potential, Possibly Resulting in Fiscal Waste\n\n               SLES is not used to its potential and more resources must be used to\n               maintain paper records possibly resulting in fiscal waste. OIS staff\n               reported that SLES has roughly 620 total user accounts, but\n               approximately only 50 \xe2\x80\x9cregular\xe2\x80\x9d19 SLES users. Furthermore, according to\n               a Property Management Specialist in the Office of Administration, each\n               lock bar cabinet/safe that stores SGI costs $1,054, and the safes, in\n               particular, are \xe2\x80\x9cflying off the shelves.\xe2\x80\x9d Using SLES on a consistent basis\n               would promote efficiency and would likely reduce paper, printing, mailing,\n               and storage costs.\n\n               Recommendations\n\n               OIG recommends that the Executive Director for Operations:\n\n               1. Designate an SLES business champion from senior management to\n                  integrate SLES into NRC business practices.\n\n               2. Establish a formal workflow process, similar to that used for the\n                  Agencywide Documents Access and Management System, to\n                  communicate the status of SLES (E-Safe) file uploads to SGI owners.\n\n               3. Evaluate and update the current folder structure to meet user needs.\n\n               4. Publish a folder guide to help users identify where SGI is stored within\n                  SLES.\n\n               5. Develop and implement a retrievable communication plan to\n                  communicate SLES updates, changes, etc., and to invite user\n                  feedback.\n\n\n\n\n19\n  OIS termed a regular user as someone who logged into SLES at least 4 times in the previous 30 days.\nThis does not include administrator accounts used by support personnel.\n                                                   15\n\x0c              Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n6. Develop and implement a change control process to routinely evaluate\n   and implement any changes to SLES. Include members from the\n   technical (OIS) and policy (NSIR) sides of SLES, as well as a\n   representative from a Regional office, and gather user concerns from\n   the SLES community.\n\n\n\n\n                                16\n\x0c                    Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nB.   Access Rights Are Inconsistent\n\n     Federal regulations mandate security controls to protect systems and\n     networks from inappropriate access and unauthorized use. SLES access\n     rights do not consistently meet the intent of the SGI \xe2\x80\x9cneed-to-know\xe2\x80\x9d\n     requirement or an information system\xe2\x80\x99s \xe2\x80\x9cleast privilege\xe2\x80\x9d principle because\n     there is no standard process for granting SGI access to individuals or for\n     verifying user access rights. Providing SLES users access rights that\n     exceed an individual\xe2\x80\x99s need-to-know or go beyond organizational business\n     needs increases the risk that SGI could be compromised. Additionally, not\n     having a formal policy in place limits access to some individuals who may\n     need SGI access to effectively do their jobs.\n\n     The \xe2\x80\x9cNeed-To-Know\xe2\x80\x9d Requirement and \xe2\x80\x9cLeast Privilege\xe2\x80\x9d Principle\n\n     Federal regulations mandate security controls to protect systems and\n     networks from inappropriate access and unauthorized use. Per Title 10,\n     Code of Federal Regulations, Section 73.2 (10 CFR 73.2), \xe2\x80\x9cneed-to-know\xe2\x80\x9d\n     means a determination by a person having responsibility for protecting\n     SGI, such as the originator of the material, that a proposed recipient\xe2\x80\x99s\n     access to SGI is necessary in the performance of official, contractual,\n     licensee, applicant, or certificate holder employment. Additionally, 10 CFR\n     73.22 requires that anyone requesting access to SGI must meet this need-\n     to-know requirement. Except as the Commission may otherwise\n     authorize, no person may disclose safeguards information to any other\n     person.\n\n     Federal Government internal controls standards for information systems\n     recommend access security controls to protect systems and networks\n     from inappropriate access and unauthorized use. Specifically, the\n     National Institute of Standards and Technology Guidance Special\n     Publication 800-53 recommends the \xe2\x80\x9cleast privilege\xe2\x80\x9d principle. Simply put,\n     the principle of least privilege requires that a user be given no more\n     privilege than necessary to perform a job. Ensuring least privilege\n     requires identifying what the user\'s job is, determining the minimum set of\n     privileges required to perform that job, and restricting the user to a domain\n     with those privileges and nothing more.\n\n\n\n\n                                      17\n\x0c               Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nSLES Folder Access Is Inconsistent With Need-To-Know\nRequirement and Least Privilege Principle\n\nSLES access rights do not consistently meet the intent of the SGI need-to-\nknow requirement or an information system\xe2\x80\x99s least privilege principle. As\nmentioned in the background section of this report, SLES users gain\naccess to SGI documents by having their branch chief contact the SLES\nhelp desk and providing this authorization. However, this does not align\nwith standard SGI policy stated in the Code of Federal Regulations which\nstates that the person responsible for protecting the SGI, such as the\ndocument owner, is responsible for providing the need-to-know\nauthorization. An NSIR staff member responsible for standard SGI policy\ntold OIG he was unaware that the SLES policy was different from the\nregulation until OIG brought it to his attention. He remarked that this\ndiscrepancy could be an issue because a branch chief technically does\nnot have the authority to grant need-to-know access since the branch\nchief is not the originator or possessor of the document. He agreed that\nthe SLES policy is not consistent with the NRC Management Directives or\nthe regulation. In essence, SLES allows users to gain access to SGI\nwithout contacting the protector or owner of the information.\nThe least privilege principle may also be violated if users receive access\nto folders and documents simply by belonging to a user group. As\nmentioned in the background section of the report, SLES stores all SGI\ndocuments in folders with other related SGI documents. To receive\naccess to a particular folder, users must be part of a user group with read\npermission to that folder. However, user groups may also have access to\nseveral different folders within SLES.\n\nTherefore, when users need access to a given document, they receive\naccess to all documents within that particular folder as well as to several\nother folders they may not need. Essentially, users receive access to SGI\ndocuments based on the user groups they belong to and not based on the\nprinciple of accessing only the information they need to perform their jobs.\n\nWhile several SLES users may have access to documents they may not\nneed, a common complaint by users \xe2\x80\x93 especially by those in the regions \xe2\x80\x93\nis that they do not readily have access to documents they do need in\nSLES, and that the branch chief approval process is inefficient. One\nresident inspector claimed that he could not access any SLES documents\nrelated to his own power plant without first getting approval from his offsite\n\n                                 18\n\x0c                                  Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n                branch chief. Until this is changed, he said he would not use SLES\n                because it is a major inconvenience. He stated that he has to \xe2\x80\x9cjump\n                through hoops\xe2\x80\x9d to get the necessary approval to access his own plant\xe2\x80\x99s\n                documents and that it was simply easier to go to the licensee\xe2\x80\x99s safe and\n                view SGI documents there.\n\n                Several users commented that getting the approval to access SLES\n                documents is sometimes untimely and burdensome depending on the\n                availability of the branch chief or how long it may take the branch chief to\n                contact the SLES help desk. Since the process is not always efficient,\n                some users claim they simply go directly to the licensee or contact\n                someone in NSIR to obtain access to documents in SLES.\n\n                There Is No Standard Process for Granting or Verifying Access to\n                SGI\n\n                SLES access rights do not consistently meet the intent of the SGI need-to-\n                know requirement or an information system\xe2\x80\x99s least privilege principle\n                because there is no standard process for granting SGI access to\n                individuals or for verifying user access rights. Since there are no owners\n                of SGI folders or documents within SLES,20 user access is provided rather\n                haphazardly by the SLES help desk. The complicated system setup of\n                assigning individuals to user groups with specific permissions to folders\n                containing SGI does not allow for the need-to-know requirement and least\n                privilege principle to be easily followed. While the SLES help desk\n                provides access to SGI, it is only doing as instructed by the individual\n                branch chief (who is simply acting on behalf of each requesting user).\n                And although the help desk and SLES program in general are run by OIS,\n                OIS is not familiar with \xe2\x80\x93 or responsible for \xe2\x80\x93 the SGI need-to-know\n                policies; this responsibility belongs to NSIR.\n\n                NRC also lacks procedures to conduct a periodic review of user folder\n                access. After reviewing SLES user records, OIG interviewed 27 NRC\n                employees who had read rights to folders within SLES. Of the 27\n                interviewed, 4 claimed that they had read rights to more folders than they\n                needed and 18 stated they did not need access to SLES at all.\n\n\n\n20\n   Due to the sensitive nature of the information, there are only two SLES folders that have an actual\nfolder owner: Target Sets and Force on Force, which are overseen by an individual in NSIR. Only the\nassigned folder owner can make the need-to-know determination when users request access.\n                                                    19\n\x0c                                  Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n                Furthermore, eight SLES user accounts belonged to people no longer\n                employed by NRC.21 In sum, there was no process to identify users who\n                no longer needed access to SLES or who may have only required limited\n                access.\n\n                SGI Could Be Compromised\n\n                Granting SLES users access rights that exceed individual or\n                organizational business needs increases the risk that SGI could be\n                intentionally or accidentally compromised. Tighter enforcement of the\n                need-to-know requirement and least privilege principle to NRC staff that\n                use SLES would provide an automated control to prevent possible data\n                loss. On the other hand, rules should not be so strict that they limit NRC\n                staff from effectively conducting their jobs. By having a formal policy in\n                place that takes into account the user\xe2\x80\x99s needs and responsibilities, NRC\n                staff may be able to use SLES more effectively while limiting security\n                risks.\n\n                Recommendation\n\n                OIG recommends that the Executive Director for Operations:\n\n                7. Develop a structured access process that is consistent with the SGI\n                need-to-know requirement and least privilege principle. This should\n                include:\n\n                            \xef\x82\x97 Establishing folder owners within SLES and providing the\n                              owners the authority to approve the need-to-know\n                              authorization (as opposed to branch chiefs).\n                            \xef\x82\x97 Conducting periodic reviews of user access to folders.\n                            \xef\x82\x97 Developing a standard process to grant user access.\n\n\n\n\n21\n  In the cases of ex-NRC staff still having SLES accounts, the risk is mitigated because a Personal\nIdentity Verification card is required to log into SLES. Employee exit procedures are in place to ensure\nthat employees surrender their Personal Identity Verification cards at the conclusion of their NRC\nemployment.\n                                                    20\n\x0c                        Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nIV.   CONSOLIDATED LIST OF RECOMMENDATIONS\n\n          OIG recommends that the Executive Director for Operations:\n\n             1. Designate an SLES business champion from senior management\n                to integrate SLES into NRC business practices.\n\n             2. Establish a formal workflow process, similar to that used for the\n                Agencywide Documents Access and Management System, to\n                communicate the status of SLES (E-Safe) file uploads to SGI\n                owners.\n\n             3. Evaluate and update the current folder structure to meet user\n                needs.\n\n             4. Publish a folder guide to help users identify where SGI is stored\n                within SLES.\n\n             5. Develop and implement a retrievable communication plan to\n                communicate SLES updates, changes, etc., and to invite user\n                feedback.\n\n             6. Develop and implement a change control process to routinely\n                evaluate and implement any changes to SLES. Include members\n                from the technical (OIS) and policy (NSIR) sides of SLES, as well\n                as a representative from a Regional office, and gather user\n                concerns from the SLES community.\n\n             7. Develop a structured access process that is consistent with the SGI\n                need-to-know requirement and least privilege principle. This should\n                include:\n                    \xef\x82\x97 Establishing folder owners within SLES and providing the\n                       owners the authority to approve the need-to-know\n                       authorization (as opposed to branch chiefs)\n                    \xef\x82\x97 Conducting periodic reviews of user access to folders.\n                    \xef\x82\x97 Developing a standard process to grant user access.\n\n\n\n\n                                          21\n\x0c                       Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nV.   AGENCY COMMENTS\n\n\n        At an exit conference on March 20, 2013, agency management stated\n        their agreement with the findings and recommendations in this report.\n        Agency management also provided supplemental information that has\n        been incorporated into this report, as appropriate. As a result, the agency\n        opted not to provide formal comments for inclusion in this report.\n\n\n\n\n                                         22\n\x0c                      Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\n                                                                                        Appendix\n\n\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\n        OBJECTIVE\n        The audit objective was to determine if SLES meets its operational\n        capabilities and applicable security controls.\n\n        SCOPE\n        The audit focused on reviewing the SLES system and ensuring it meets\n        user needs while complying with security requirements. We conducted\n        this system audit at NRC headquarters from July 2012 through December\n        2012. Internal controls related to the audit objective were reviewed and\n        analyzed. Throughout the audit, auditors were aware of the possibility or\n        existence of fraud, waste, or misuse in the program.\n\n        METHODOLOGY\n        OIG reviewed relevant Federal regulations and internal/external guidance\n        including:\n\n           -   Code of Federal Regulations, Title 10, Part 73, Section 22,\n               \xe2\x80\x9cProtection of Safeguards Information: Specific Requirements.\xe2\x80\x9d\n           -   The Paperwork Reduction Act of 1995.\n           -   National Institute of Standards and Technology Special Publication\n               800-53, \xe2\x80\x9cRecommended Security Controls for Federal Information\n               Systems and Organizations.\xe2\x80\x9d\n           -   A Staff Requirements Memorandum M040114A, "Briefing on the\n               Status of OCIO Programs, Performance, and Plans.\xe2\x80\x9d\n           -   Management Directive 12.7, \xe2\x80\x9cNRC Safeguards Information Security\n               Program.\xe2\x80\x9d\n           -   National Institute of Standards and Technology Special Publication\n               800-128, \xe2\x80\x9cGuide for Security-Focused Configuration Management\n               of Information Systems.\xe2\x80\x9d\n           -   OIG-12-A-12, \xe2\x80\x9cAudit of NRC\xe2\x80\x99s Protection of Safeguards\n               Information.\xe2\x80\x9d\n\n        Auditors also used the SLES system and reviewed hundreds of SLES\n        folders, user groups, user names, and permissions in conducting data\n        analysis and identifying any possible trends.\n\n\n\n                                        23\n\x0c               Audit of NRC\xe2\x80\x99s Safeguards Information Local Area Network and Electronic Safe\n\n\n\nAt NRC headquarters, in Rockville, Maryland, auditors interviewed NSIR\nand OIS staff, including contractors assigned to both NSIR and OIS, to\ngain an understanding of their roles and responsibilities related to the\nSLES system. Auditors also conducted numerous telephone interviews of\nNRC regional staff, resident inspectors, and NRC headquarters staff and\nmanagement who were listed as SLES users. Auditors viewed a\ndemonstration of the SLES system and also witnessed a failover test\nconducted by NSIR illustrating the redundant features of SLES.\n\nWe conducted this performance audit in accordance with generally\naccepted Government auditing standards. Those standards require that\nwe plan and perform the audit to obtain sufficient, appropriate evidence to\nprovide a reasonable basis for our findings and conclusions based on our\naudit objectives. We believe that the evidence obtained provides a\nreasonable basis for our findings and conclusions based on our audit\nobjectives.\n\nThe audit work was conducted by Beth Serepca, Team Leader; Rebecca\nUnderhill, Audit Manager; Larry Vaught, Senior Auditor; and Michael Blair,\nSenior Management Analyst.\n\n\n\n\n                                 24\n\x0c'